CVE-2022-49228

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49228
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49228.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49228
Downstream
Related
Published
2025-02-26T01:55:56Z
Modified
2025-10-15T19:44:59.021733Z
Summary
bpf: Fix a btf decl_tag bug when tagging a function
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix a btf decl_tag bug when tagging a function

syzbot reported a btf decl_tag bug with stack trace below:

general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 3592 Comm: syz-executor914 Not tainted 5.16.0-syzkaller-11424-gb7892f7d5cb2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:btf_type_vlen include/linux/btf.h:231 [inline]
RIP: 0010:btf_decl_tag_resolve+0x83e/0xaa0 kernel/bpf/btf.c:3910
...
Call Trace:
 <TASK>
 btf_resolve+0x251/0x1020 kernel/bpf/btf.c:4198
 btf_check_all_types kernel/bpf/btf.c:4239 [inline]
 btf_parse_type_sec kernel/bpf/btf.c:4280 [inline]
 btf_parse kernel/bpf/btf.c:4513 [inline]
 btf_new_fd+0x19fe/0x2370 kernel/bpf/btf.c:6047
 bpf_btf_load kernel/bpf/syscall.c:4039 [inline]
 __sys_bpf+0x1cbb/0x5970 kernel/bpf/syscall.c:4679
 __do_sys_bpf kernel/bpf/syscall.c:4738 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:4736 [inline]
 __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4736
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The kasan error is triggered with an illegal BTF like below:

 type 0: void
 type 1: int
 type 2: decl_tag to func type 3
 type 3: func to func_proto type 8

The total number of types is 4 and the type 3 is illegal since its func_proto type is out of range.

Currently, the target type of decl_tag can be struct/union, var or func. Both struct/union and var implemented their own 'resolve' callback functions and hence are handled properly in kernel. But func type doesn't have a 'resolve' callback function. When btf_decl_tag_resolve() tries to check func type, it tries to get vlen of its func_proto type, which triggered the above kasan error.

To fix the issue, btf_decl_tag_resolve() needs to do btf_func_check() before trying to access func_proto type. In the current implementation, func type is checked with btf_func_check() in the main checking function btf_check_all_types(). To fix the above kasan issue, let us implement the 'resolve' callback for func type properly. The 'resolve' callback will also be called in btf_check_all_types() for func types.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b5ea834dde6b6e7f75e51d5f66dac8cd7c97b5ef
Fixed
a3bcd2110c087bc62e90fddd4a93237b049d6e68
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b5ea834dde6b6e7f75e51d5f66dac8cd7c97b5ef
Fixed
796d5666f6422ddadc938fb888044fcc16f2dbe3
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b5ea834dde6b6e7f75e51d5f66dac8cd7c97b5ef
Fixed
d7e7b42f4f956f2c68ad8cda87d750093dbba737

Affected versions

v5.*

v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.16.1
v5.16.10
v5.16.11
v5.16.12
v5.16.13
v5.16.14
v5.16.15
v5.16.16
v5.16.17
v5.16.18
v5.16.2
v5.16.3
v5.16.4
v5.16.5
v5.16.6
v5.16.7
v5.16.8
v5.16.9
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.17.1

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.16.19
Type
ECOSYSTEM
Events
Introduced
5.17.0
Fixed
5.17.2